Closed qq1176914912 closed 5 months ago
This exception is thrown because the Identity Server cannot retrieve the client certificate. Can you check in the appsettings.json file if the ClientCertificate property is set to AllowCertificate?
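As an added illustration (not code from SimpleIdServer), this is how the 5001 server's Kestrel endpoint can be set to AllowCertificate in code, with client certificates checked against the tutorial's CA; the CA file name `ca.cer` and the `/whoami` endpoint are assumptions.

```csharp
// Added example, not part of the SimpleIdServer project: Kestrel on the 5001
// identity server asks browsers and HttpClients for a client certificate
// (AllowCertificate) and only accepts certificates chaining to the tutorial's CA.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the CA downloaded from the administration site is stored as ca.cer
// (DER) next to the application. Path and file name are hypothetical.
var trustedCa = new X509Certificate2("ca.cer");

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // AllowCertificate: the TLS handshake requests a client certificate, but the
        // connection still succeeds without one, so login pages stay reachable.
        // NoCertificate makes tls_client_auth impossible (the mTLS endpoints then
        // answer "certificate is required"); RequireCertificate would block browsers
        // that have no certificate at all.
        https.ClientCertificateMode = ClientCertificateMode.AllowCertificate;

        // Pin the issuer: a certificate is accepted only if it chains to the
        // tutorial's CA, which makes the accepted set explicit and auditable.
        https.ClientCertificateValidation = (cert, chain, errors) =>
            ChainsToTrustedCa(cert, trustedCa);
    });
});

var app = builder.Build();

// Diagnostic endpoint (hypothetical): shows whether the caller presented a client
// certificate. null means none was negotiated, e.g. the browser had none to offer.
app.MapGet("/whoami", (HttpContext ctx) =>
{
    var cert = ctx.Connection.ClientCertificate;
    return cert is null ? "no client certificate" : $"client certificate: {cert.Subject}";
});

app.Run();

static bool ChainsToTrustedCa(X509Certificate2 cert, X509Certificate2 ca)
{
    using var chain = new X509Chain();
    // Trust only the configured CA, not the machine's root store.
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(ca);
    // The tutorial's development CA publishes no CRL/OCSP, so revocation is skipped.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    return chain.Build(cert);
}
```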
Yes, you're right. We need to change the "ClientCertificateMode" attribute of 5001 to "AllowCertificate". And the LoginHint must be a user (login account) present in the network. But I found an issue: normally, according to your tutorial, when you receive the green message on 5001, you go to the browser to verify and log in. The entered account should be the account configured in the program, which in this example is MobileUser. But I found that it is possible to log in normally with another account without using "mobileUser"?
I found that when adding a client on 5002, if the client already exists, it can still be added normally. After successful addition, the client cannot be edited or deleted, and can only be manually deleted from the database.
I tried to change the "metadata URL" of the built-in client "samlSp" and found an issue: you can see that it is now "http://localhost:5125/Metadata". When I tried to change HTTP to HTTPS, it showed that the update was successful, but the page changed back to HTTP. Actually, the modification was successful and we need to refresh the page to display the content we modified.
CIBA
Indeed, the pending backchannel authorization request must only be validated by the mobileUser user.
I have made several modifications to the master branch to address this issue and others.
Duplicate Client
I have implemented additional checks to prevent the addition of two clients with the same ClientId.
Metadata URL Not Updated
The store has been fixed, and the property is now correctly updated.
Thank you for your response. After testing, the issue has been resolved.
1. I followed your tutorial: https://simpleidserver.com/docs/tutorial/grantmgt. There was an issue when testing your sample. Certificate: one of the certificates has been installed in the "Trusted Root Certification Authorities" location on the local computer (as I have previously tested your earlier projects, there are also root certificates installed locally for the "Highly Secure Regular Web Application" and "CIBA" projects). And the value of "ClientCertificateMode" in the 5001 appsettings has been set to "AllowCertificate". The JSON generated during the creation of the client has been replaced. After starting the project, when redirecting to the login page and clicking the login button, an error message appears. Error message:
InvalidOperationException: Sequence contains no matching element System.Linq.ThrowHelper.ThrowNoMatchException() System.Linq.Enumerable.First
(IEnumerable source, Func<TSource, bool> predicate) SimpleIdServer.IdServer.UI.ConsentsController+<>cDisplayClass10_0+< g__BuildConsentsFromGrant|0>d.MoveNext() in ConsentsController.cs var grant = user.Consents.First(c => c.Id == grantId); SimpleIdServer.IdServer.UI.ConsentsController.Index(string prefix, string returnUrl, bool isProtected, CancellationToken cancellationToken) in ConsentsController.cs return View(await BuildConsentsFromGrant(query, oauthClient, grantId)); Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, object controller, object[] arguments) System.Threading.Tasks.ValueTask Awaited|12_0(ControllerActionInvoker invoker, ValueTask.get_Result() Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker. g actionResultValueTask) Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker. gAwaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted) Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted) Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync() Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker. g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted) Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context) Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted) Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync() Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker. 
Logged|17_1(ResourceInvoker invoker) Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g g__Logged|17_1(ResourceInvoker invoker) Microsoft.AspNetCore.Routing.EndpointMiddleware. g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) SimpleIdServer.IdServer.Swagger.SidSwaggerUIMiddleware.Invoke(HttpContext httpContext) in SIDSwaggerUIMiddleware.cs await _staticFileMiddleware.Invoke(httpContext); SimpleIdServer.IdServer.Swagger.SIDSwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider) in SIDSwaggerMiddleware.cs await _next(httpContext); SimpleIdServer.IdServer.Middlewares.MtlsAuthenticationMiddleware.InvokeAsync(HttpContext context) in MtlsAuthenticationMiddleware.cs await _next.Invoke(context); Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) SimpleIdServer.IdServer.Middlewares.LanguageMiddleware.InvokeAsync(HttpContext context) in LanguageMiddleware.cs await _requestDelegate.Invoke(context); SimpleIdServer.IdServer.Middlewares.RealmMiddleware.InvokeAsync(HttpContext context) in RealmMiddleware.cs await _next.Invoke(context); Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
2. I found that the following content is mentioned in the introduction of "Highly Secure Regular Web Application" and "Grant Management". Some of the content can be found when configuring the client on 5002, but for some I do not know what the corresponding content is. For example, can the "Client Authentication Method" parameter also be configured in the 5002 client settings, or is it an included parameter that is not displayed? Could you please explain which content in the table corresponds to 5002? 3. When the ClientCertificateMode value of the 5001 appsettings is set to "AllowCertificate", normally speaking, when I use private browsing to access the 5002 redirect login, a certificate selection window should pop up (I don't know if my understanding is wrong), but I don't know why, even when I use private browsing now, the certificate selection page does not appear. I don't know if it is due to a problem that occurred after testing your samples today; I tested "RequestAccessToken M2M" and "HighlySecuredServersideWebsite" today. I don't know if the error above is related to the browser selecting the wrong certificate.
Grant Management Exception
The issue has been resolved in the master branch; the Grant Request was not saved.
Client's Configuration
Both tables list the properties of the new client once the creation form is completed. To facilitate the creation process, and in alignment with FAPI 2.0 security best practices, not all properties are displayed during creation; they are automatically assigned.
Grant management
Configuration | Value | Required |
---|---|---|
Client Authentication Method | tls_client_auth | Required by FAPI2.0 |
Authorization Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Identity Token Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Request Object Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Pushed Authorization Request | Yes | Required by FAPI2.0 |
Response Mode | JWT | Required by FAPI2.0 |
Authorization Data Types | account_information | Editable |
scopes | grant_management_query grant_management_revoke openid profile | Required by FAPI2.0 |
Highly Secured Regular Web application
Configuration | Value | Required |
---|---|---|
Client Authentication Method | tls_client_auth | Required by FAPI2.0 |
Authorization Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Identity Token Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Request Object Signed Response Algorithm | ES256 | Required by FAPI2.0 |
Pushed Authorization Request | Yes | Required by FAPI2.0 |
Response Mode | JWT | Required by FAPI2.0 |
Client certificate
A certificate window is displayed in your browser because the Kestrel server accepts client certificates. When a client certificate is chosen, it is retained by your web browser in its cache; therefore, the popup window is not displayed again. It is not a problem that the popup window is not displayed, because the client certificate is always passed by an HttpClient in C#.
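To show what "the client certificate is passed by an HttpClient" looks like for the mTLS bc-authorize endpoint, here is an added example (not the DeviceUseCIBA sample's code) that sends the same request with and without a certificate; `client.pfx`, its password and the client id `ciba-device` are assumptions, `mobileUser` is the tutorial's user.

```csharp
// Added example, not code from the SimpleIdServer samples: a CIBA backchannel
// authentication request over mTLS, run once with a client certificate and once
// without, to show where "certificate is required" comes from.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading.Tasks;

// Assumption: the mTLS endpoint of the tutorial's 5001 server, master realm.
const string BcAuthorizeUrl = "https://localhost:5001/master/mtls/bc-authorize";

static HttpClient CreateMtlsClient(string? pfxPath, string? pfxPassword)
{
    var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
    if (pfxPath is not null)
        // The certificate downloaded from the administration site (hypothetical file name).
        handler.ClientCertificates.Add(new X509Certificate2(pfxPath, pfxPassword));
    // Server certificate validation is deliberately left at its default: a
    // RemoteCertificateNameMismatch / RemoteCertificateChainErrors failure is fixed
    // by trusting the CA on the calling machine, not by accepting every certificate.
    return new HttpClient(handler);
}

static async Task<(int Status, string Body)> BackchannelAuthorizeAsync(
    HttpClient http, string clientId, string loginHint)
{
    // With tls_client_auth the client is identified by client_id in the body and
    // authenticated by the TLS-layer certificate (RFC 8705); no client_secret is sent.
    var form = new FormUrlEncodedContent(new Dictionary<string, string>
    {
        ["client_id"] = clientId,
        ["scope"] = "openid profile",
        ["login_hint"] = loginHint,             // must name an existing user (mobileUser)
        ["binding_message"] = "Confirm login",  // shown to the user on the notification channel
    });
    using var response = await http.PostAsync(BcAuthorizeUrl, form);
    return ((int)response.StatusCode, await response.Content.ReadAsStringAsync());
}

static string Describe((int Status, string Body) result)
{
    if (!result.Body.TrimStart().StartsWith('{'))
        return $"HTTP {result.Status}: non-JSON body";
    using var doc = JsonDocument.Parse(result.Body);
    var root = doc.RootElement;
    if (result.Status == 200 && root.TryGetProperty("auth_req_id", out var id))
        // auth_req_id is what the device later polls the token endpoint with, after the
        // user approves the request through the console/SMS/email channel.
        return $"pending request, auth_req_id = {id.GetString()}";
    var description = root.TryGetProperty("error_description", out var d) ? d.GetString() : "";
    // "certificate is required": the TLS handshake completed without a client certificate
    // the server accepted (none presented, or Kestrel not configured with AllowCertificate).
    return $"HTTP {result.Status}: {root.GetProperty("error").GetString()} - {description}";
}

using var withCert = CreateMtlsClient("client.pfx", "changeit");
Console.WriteLine(Describe(await BackchannelAuthorizeAsync(withCert, "ciba-device", "mobileUser")));

// Same request without a certificate: this reproduces the browser's 400 invalid_request.
using var withoutCert = CreateMtlsClient(null, null);
Console.WriteLine(Describe(await BackchannelAuthorizeAsync(withoutCert, "ciba-device", "mobileUser")));
```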
Thank you for your response. There is a case with CIBA and its login process: it needs to get the green message in the 5001 instance. I found that there is also a console in ACRS that also gets the green message in 5001. The question I have is: I am a developer, so I can find this green message in the 5001 black box and copy it out, but what is the user going to do?
The green message is displayed in the console application when your configured client/relying party wishes to perform certain types of actions on behalf of the end-user. For example, confirming a bank transfer. The link displayed in the console application must be accessed by the end-user. Once the consent has been accepted, the relying party can proceed with the action.
By default, user accounts are configured to use the console application as a notification channel. However, you can choose another channel to send the consent/link, such as SMS, email, or Firebase. The notification mode can be updated in the User details view.
I see this option. I did the following: first, the "mobileUser" account has been added to the phone. Then change the "Notification mode" to "sms" or "email". Then add console to acrs. Enter and send the verification code. 1. It did not send the SMS verification code as I configured; it seems that it is still sent in the console. Am I using it the wrong way? 2. The green input in the console looks like this:
1. Hello, the sample "ProtectBlazorPWA" and "ProtectBlazorPWAMultiTenant" programs cannot be started; they show a missing file "below \ service - worker js". How do I execute these two samples after startup? How do you test them? Do you need to add a client to 5001? 2. Sample "UseOpenIddictAsDatasource" has an error here; what should it be? 3. The project "CustomUserApi" also has errors. For these samples, how do I test them to see their role?
User's Notification Method
The user notification method is utilized by the Identity Server to send notifications to the user via email, Firebase, or SMS. Therefore, when running the DeviceUseCIBA sample project, a consent message is sent to the user through the selected notification channel.
ProtectBlazorPwdMultitenant and ProtectBlazorPWA
We have not created any tutorials for both projects; however, we plan to do so in a future release (Ticket #688)
UseOpenIddictAsDatasource
I have resolved the build issues in the UseOpenIddictAsDatasource project. The goal is to demonstrate how to use the Microsoft.AspNetCore.Identity library as a data source by overriding the repository IUserRepository. While this sample project is not fully functional, it can serve as a guide for any developer looking to store users in Microsoft.AspNetCore.Identity.
CustomUserApi
I have resolved the build issues in the CustomUserApi project. The goal is to demonstrate how to use a REST API to retrieve user information. Although this sample project is not entirely functional, it can serve as a guide for any developer interested in managing users within their own REST API.
User's Notification Method: Yes, CIBA projects can indeed send according to my choice. But I am curious about the console in ACRS. I found that it could not send according to what I selected in the user, but the message could only be found in the program black box of 5001. Then how can the user receive it? Is this just for internal testing?
Can you use FAPI to set 5001 ClientCertificateMode to NoCertificate? Currently, an error message will be displayed. The client certificate must be used. Does the FAPI process require the use of client certificates?
In accordance with security best practices outlined in FAPI 2.0, the client is required to employ a certificate for authentication. Consequently, the ClientCertificateMode cannot be configured as NoCertificate.
The 'console' authentication method is utilized for internal testing purposes. It generates an OTP code and displays it within the console application. :)
1. I tested the CIBA project. I changed the "Address" in the project to the 5001 project that I deploy to the server instead of the local 5001 project. When I use a browser to access "https://<server address>:5001/master/mtls/bc-authorize", the page says:
{ "error": "invalid_request", "error_description": "certificate is required" }
The "ClientCertificateMode" of the server's 5001 project has been set to "AllowCertificate". How am I supposed to fix this? 2. When 5001 is on the server, I need to install the CA certificate on the server. Where the CA certificate is installed depends on where 5001 is. As for why: I found that when I use the server 5001, I can install the CA certificate locally, but the process cannot be completed before the CA is installed on the server; the server can run properly only after the CA is installed on it. 3. When I changed all the places in the project "Regular Web Application (SAML2.0)" that used the local 5001 address to the server address, an error occurred when jumping to 5001 after starting the project:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem) at System.Threading.Tasks.TaskCompletionSourceWithCancellation
1.WaitWithCancellationAsync(CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.HttpConnectionWaiter
1.WaitForConnectionAsync(Boolean async, CancellationToken requestCancellationToken) at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken) at SimpleIdServer.IdServer.Saml.Idp.Factories.Saml2ConfigurationFactory.LoadSPMetadata(Client client, CancellationToken cancellationToken) in D:\Aila\FW-IAM-Casbin\src\IdServer\SimpleIdServer.IdServer.Saml.Idp\Factories\Saml2ConfigurationFactory.cs:line 77 at SimpleIdServer.IdServer.Saml.Idp.Factories.Saml2ConfigurationFactory.BuildSamSpConfiguration(Client rp, CancellationToken cancellationToken) in D:\Aila\FW-IAM-Casbin\src\IdServer\SimpleIdServer.IdServer.Saml.Idp\Factories\Saml2ConfigurationFactory.cs:line 51 at SimpleIdServer.IdServer.Saml2.Api.SamlSSOController.GetClient(String issuer, String realm, CancellationToken cancellationToken) in D:\Aila\FW-IAM-Casbin\src\IdServer\SimpleIdServer.IdServer.Saml.Idp\Apis\SamlSSOController.cs:line 181 at SimpleIdServer.IdServer.Saml2.Api.SamlSSOController.LoginGet(String prefix, CancellationToken cancellationToken) in D:\Aila\FW-IAM-Casbin\src\IdServer\SimpleIdServer.IdServer.Saml.Idp\Apis\SamlSSOController.cs:line 77
Certificate Required
The displayed error message indicates that the selected certificate in your browser is incorrect. You must choose a valid Client Certificate and provide the parameters required by the Authorization endpoint. For additional information, please refer to the RFC: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
SAML Exception
An exception is thrown by the HTTP Client when attempting to load the metadata of the Service Provider (SP). I have made modifications in the master branch to ignore certificate errors.
Thank you for your reply, the problem has been solved
Hello, I tried to execute the "DeviceUseCIBA" project in your sample directory, following the process at this address: https://simpleidserver.com/docs/tutorial/ciba/ 1. Configure a client certificate. My steps are as follows: after creating it, I downloaded the CA and installed it in the Trusted Root Certification Authorities location on my computer. Then I followed your process to create "Client Certificates" and downloaded them, but they were not installed on my computer. 2. Configure an application. Created the client according to the process. 3. Create a consumption device. Then open the "DeviceUseCIBA" project in your sample, replace the previously existing client certificate with the certificate I just downloaded, and execute the project. Certificate loaded successfully. When the "response" is executed, the content displays 400, and the error message is: "error": "invalid_request", "error_description": "Certificate is required". So it led to an error here; what is the situation?